[Openid-specs-ab] Privacy Considerations

John Bradley ve7jtb at ve7jtb.com
Mon Jul 25 13:07:10 UTC 2011


The rub is that from a security point of view encryption of the user-info endpoint needs to be part of the original request or registration.

If dynamic in the user-info api then an attacker wouldn't ask for the response to be encrypted.

Signing being controlled by the user-info api would be OK.

John B.

On 2011-07-23, at 8:23 AM, Nat Sakimura wrote:

> Yes. In the full spec, asking at the request time is an obvious solution. But the Lite does not have a way to do it apart from the out of band return_to registration time as it does not have claims syntax. 
> 
> =nat via iPhone
> 
> On 2011/07/23, at 5:14, John Bradley <ve7jtb at ve7jtb.com> wrote:
> 
>> I don't know that it is practical to register purpose of use at registration.
>> 
>> I was thinking that that would eventually become part of the claim request meta-data, along with value and required trust framework etc.
>> 
>> It makes the request larger but is more flexible.  
>> 
>> The other place to list that would be in some third party certified meta-data.
>> 
>> I could see checking with a meta-data repository if a RP is certified for EU safe harbour, and what attributes they are approved to collect.
>> That is sort of what Germany is doing now with their EID.
>> 
>> John
>> On 2011-07-23, at 4:02 AM, Nat Sakimura wrote:
>> 
>>> Hi. 
>>> 
>>> I have started to contemplate on the privacy considerations. 
>>> 
>>> Several questions arise: 
>>> 
>>> - When is the purpose of the use of the attribute determined? 
>>>     -> either the claim request, or the redirect_url registration time. 
>>> - Is it not a good practice to return the terms of use of the data with it? 
>>> - Is it not releasing too much information as a default? 
>>> - Should not the access log to the UserInfo be made accessible to the user? 
>>> 
>>> Best, 
>>> 
>>> -- 
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>> 
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
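
The point made in the top message, as an added example that is not part of the thread or of any OpenID specification: if the caller chooses encryption per request, a caller who omits the option gets a readable response, whereas a setting bound at registration cannot be switched off at request time. All field, function and key names are hypothetical, the registry is constructed sample data, and no real cryptography is performed; the functions only return which protections would be applied.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Registration:
    """Per-client settings fixed at registration (hypothetical field names)."""
    client_id: str
    encrypt_userinfo: bool            # confidentiality requirement, set once
    encryption_key_id: Optional[str]  # key the RP registered for encryption


@dataclass(frozen=True)
class Plan:
    """Protections the user-info endpoint would apply to one response."""
    sign: bool
    encrypt: bool
    key_id: Optional[str]


# Constructed sample registry.
REGISTRY = {
    "rp-a": Registration("rp-a", True, "rp-a-enc-key-1"),
    "rp-b": Registration("rp-b", False, None),
}


def plan_dynamic(client_id: str, params: dict) -> Plan:
    """Weak form: both signing and encryption are chosen by the request."""
    reg = REGISTRY[client_id]
    encrypt = params.get("encrypt") == "true"
    key_id = reg.encryption_key_id if encrypt else None
    return Plan(params.get("sign") == "true", encrypt, key_id)


def plan_registered(client_id: str, params: dict) -> Plan:
    """Encryption comes only from registration; signing may stay per request."""
    reg = REGISTRY[client_id]
    if reg.encrypt_userinfo and not reg.encryption_key_id:
        # Fail closed rather than fall back to an unencrypted response.
        raise ValueError("encryption required but no key is registered")
    key_id = reg.encryption_key_id if reg.encrypt_userinfo else None
    # Any "encrypt" request parameter is ignored on purpose.
    return Plan(params.get("sign") == "true", reg.encrypt_userinfo, key_id)


if __name__ == "__main__":
    print(plan_dynamic("rp-a", {}))      # caller did not ask: no encryption
    print(plan_registered("rp-a", {}))   # encrypted to the registered key
```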
